(54) Device, system and method for data access control



(57) The invention provides for control of access to data which is stored in an electronic data storage device (18) and enables various types of permissions to be set for determining access to the stored data such that, if an attempt is made to access particular data which does not have a suitable permission type, access is denied. It is implemented as an access control device (16), such as a chip, which controls all access to the data storage device (18). This implementation is adopted since such electronic devices are more difficult to "hack" for access by an unauthorized user. The invention has a number of different utilizations, such as for controlling access to credit card information; for identifying a user according to a PIN or other identification information; for controlling access to a particular location according to the identity of the user; and for controlling access to various types of data files, such as music files in the MP3 format and so forth.

Description

[0001] The present invention relates to a device, a system and method for data access control, particularly for controlling access to data stored on a data storage device, such that access is determined according to the mode of data storage.

[0002] Computers are useful for the storage, retrieval and manipulation of data. Currently, many different types of electronic data storage devices are used in conjunction with computers. These electronic storage devices may be located externally or internally to the computer with which the storage device is in communication. For example, a magnetic storage device, such as a hard disk drive, could be located internally to the computer, in direct communication with the system bus of the computer and operated by the CPU (central processing unit) of the computer. Flash memory, which is both readable and writable, is a physically smaller storage device, which may be located within the physical case of the computer, and which is also connected to the system bus and operated by the CPU. Removable storage media may also be used to store data, in which a hardware device, or "drive", for reading from and/or writing to the storage medium, is connected to the system bus of the computer. Examples of removable storage media include, but are not limited to, optical disks, CD-ROM disks and floppy diskettes. At some level, all of these various hardware devices are in communication with the computer which operates the device, regardless of the location of the electronic storage device. Therefore, access to the data is provided through such a computer.

[0003] One important aspect of such data storage is that access to the data should be controlled, for the purpose of data security. Currently, most forms of data access control are implemented as software programs, which have a number of disadvantages. For example, these programs may be "hacked" or overcome by an unauthorized user, who can then gain access to the data. Such a disadvantage has become more acute with the advent of networks, distributed data storage and "client-server" applications, all of which increase the number of access points to the computer through which the electronic storage device is accessed and, hence, to the stored data on that device. Such an increased number of access points also potentially increases the ability of an unauthorized user to access the data. Thus, software programs are clearly not adequate protection for data stored in a networked environment with multiple access points.

[0004] Another type of data access control is provided through the operating system of the computer itself. For example, UNIX and other operating systems typically allow an authorized user to determine the level of permissions associated with a particular file and/or sub-directory, which could be "read-only", "read/write" and so forth. Unfortunately, such permissions are often relatively simple, only differentiating between "read" and "write" for example. Also, like other types of software programs, these operating systems may be "hacked" by an unauthorized user, who can then gain access to the data.

[0005] In addition, if the electronic hardware storage device itself is stolen, then typically the data becomes completely unprotected, such that any unauthorized user can easily gain access to the data on the storage device. Neither software programs nor the operating system of the computer can overcome this problem, since they are stored and implemented separately from the storage device itself.

[0006] A more useful solution would be implemented with the hardware of the electronic storage device in a more integrated manner, such that even if the storage device itself is stolen, the data could not be easily accessed. Furthermore, such integration would increase the difficulty of access by an unauthorized user. Unfortunately, such a solution is not currently available.

[0007] There is thus an unmet need for, and it would be useful to have, a device, a system and a method for controlling access to data stored on an electronic storage device, which does not rely on separately stored software programs, which is optionally integrated with the hardware of the storage device, and which is significantly resistant to access by an unauthorized user, even if the electronic data storage device is removed by an unauthorized user for such unauthorized access.

[0008] The present invention resides in a device, a method and a system for providing control of access to data which is stored in an electronic data storage device. The present invention enables various types of permissions to be set for determining access to the stored data such that, if an attempt is made to access particular data which does not have a suitable permission type, access is denied. Preferably, the present invention is implemented as an access control device, such as a chip, which more preferably controls all access to the data storage device. This implementation is preferred, since such electronic devices are more difficult to "hack" for access by an unauthorized user. The present invention has a number of different utilizations, such as for controlling access to credit card information; for identifying a user according to a PIN or other identification information; for controlling access to a particular location according to the identity of the user; and for controlling access to various types of data files, such as music files in the MP3 format and so forth. Thus, the present invention provides a more secure solution for controlling access to data, which is useful for substantially any type of data storage device.

[0009] The device of the present invention may be implemented in a number of different ways, all of which are considered to be within the scope of the present invention, including but not limited to, both removable and permanent storage devices; devices connected to a computer through a USB bus or, alternatively, through any other suitable hardware connection interface; a single chip with a microprocessor and firmware for operating the data access features or, alternatively may be implemented as data storage with logic only, and so forth. The important feature of the present invention is that it enables a plurality of different types of data access to be combined in a single storage device. The device of the present invention is flexible and is able to store data according to several different access types within a single device. Furthermore, the present invention may optionally determine the type of data access according to information which is appended to the stored data, such that the type of data access is defined according to a "soft", data-based definition, rather than according to a "hard" definition which is implemented only in the hardware itself.

[0010] According to the present invention, there is provided a system for controlling access to stored data, the system comprising: (a) an electronic data storage device for storing the stored data; and (b) an access control device for controlling access to said electronic data storage device, such that the stored data is only accessed through said access control device, and such that said access control device determines access to the stored data according to at least one permission.

[0011] The electronic data storage device and the access control device may optionally be implemented as a single chip, or alternatively may be embodied in two separate functional components, for example.

[0012] According to another embodiment of the present invention, there is provided a device for controlling access to data stored in an electronic data storage device, the device comprising: (a) an input for receiving a request to access the stored data; (b) a non-volatile memory for storing at least one permission for determining access to the stored data; (c) at least one instruction for determining a permitted access according to the at least one permission, said at least one instruction being stored on said non-volatile memory; and (d) a processor for executing said at least one instruction and for comparing said request to said at least one permission, such that if said at least one permission includes a type of access requested in said request, the stored data is provided, and alternatively if said at least one permission does not include a type of access requested in said request, the stored data is not provided.

[0013] According to yet another embodiment of the present invention, there is provided a method for controlling access to data stored in an electronic data storage device, the method comprising the steps of: (a) providing an access control device for determining access to the electronic data storage device; (b) receiving a request to access the stored data by said access control device; (c) comparing said request to at least one permission for determining access to the stored data by said access control device; (d) if said at least one permission includes a type of access requested in said request, performing said request for accessing the stored data from the electronic data storage device by said access control device; and (e) alternatively, if said at least one permission does not include said type of access requested in said request, rejecting said request by said access control device.

[0014] Hereinafter, the terms "computer user" and "user" both refer to the person who operates a computer which is in communication with a data storage device.

[0015] Hereinafter, the term "computer" refers to a combination of a particular computer hardware system and a particular software operating system. Examples of such hardware systems include those with any type of suitable data processor. Hereinafter, the term "computer" includes, but is not limited to, personal computers (PC) having an operating system such as DOS, Windows™, OS/2™ or Linux; Macintosh™ computers; computers having JAVA™-OS as the operating system; and graphical workstations such as the computers of Sun Microsystems™ and Silicon Graphics™, and other computers having some version of the UNIX operating system such as AIX™ or SOLARIS™ of Sun Microsystems™; a PalmPilot™, a PilotPC™, or any other hand-held device; or any other known and available operating system. Hereinafter, the term "Windows™" includes but is not limited to Windows95™, Windows 3.x™ in which "x" is an integer such as "1", Windows NT™, Windows98™, Windows CE™ and any upgraded versions of these operating systems by Microsoft Corp. (USA).

[0016] For the present invention, a software application could be written in substantially any suitable programming language, which could easily be selected by one of ordinary skill in the art. The programming language chosen should be compatible with the computer by which the software application is executed, and in particular with the operating system of that computer. Examples of suitable programming languages include, but are not limited to, C, C++ and Java. Furthermore, the functions of the present invention, when described as a series of steps for a method, could be implemented as a series of software instructions for being operated by a data processor, such that the present invention could be implemented as software, firmware or hardware, or a combination thereof.

[0017] In order that the present invention may be more readily understood, reference will now be made to the accompanying drawings, in which:

FIG. 1 is a schematic block diagram of an exemplary system according to the present invention; and
FIG. 2 shows a flowchart of an example of a method according to the present invention.

[0018] The device of the present invention may be implemented in a number of different ways, all of which are considered to be within the scope of the present invention. For example, the device of the present invention may be implemented as a removable device for temporary connection to a computer or, alternatively, may be implemented as a permanent storage device. The device may optionally be connected through a USB bus or, alternatively, through any other suitable hardware connection interface, for example. As another option, the device may feature a single chip with a microprocessor and firmware for operating the data access features, or alternatively may be implemented as data storage with logic only. For the latter implementation, the device is preferably connected to a computer which operates software for interacting with the logic of the device and, hence, for performing the data access method of the present invention. Alternatively, the device may be composed of a plurality of separate functional units which are not combined in a single chip.

[0019] Regardless of the type of implementation of the device of the present invention, the important feature of the present invention is that it enables a plurality of different types of data access to be combined in a single storage device. Unlike background art storage devices which are generally restricted to a single type of data access in terms of the hardware implementation, the present invention is flexible and is able to store data according to several different access types within a single device. Furthermore, the present invention may optionally determine the type of data access according to information which is appended to the stored data, such that the type of data access is defined according to a "soft", data-based definition, rather than according to a "hard" definition which is implemented only in the hardware itself.

[0020] The principles and operation of a device, a system and a method according to the present invention may be better understood with reference to the drawings and the accompanying description, it being understood that these drawings are given for illustrative purposes only and are not meant to be limiting. Furthermore, although the following discussion centers upon a removable device which is preferably connected to a USB bus, it is understood that this is for the purposes of description only and is not intended to be limiting in any way.

[0021] Referring now to the drawings, Figure 1 is a schematic block diagram of an illustrative, exemplary system according to the present invention for controlling data access. A system 10 features a CPU 12 for executing instructions, such as a request to read data for example. CPU 12 is connected to a bus 14. An access control device 16 is also connected to bus 14, such that access control device 16 is in communication with CPU 12 through bus 14. Bus 14 is preferably a USB (universal serial bus), although of course bus 14 may alternatively be implemented as any other suitable type of bus connection.

[0022] A data storage device 18 is in communication with access control device 16, such that any attempts to access data in data storage device 18 must pass through access control device 16. Preferably, as shown, data storage device 18 is not in direct communication with bus 14. Therefore, if CPU 12 receives an instruction to read data from data storage device 18, CPU 12 preferably cannot directly read such data by sending a command through bus 14 directly to data storage device 18. Rather, preferably CPU 12 must send the command to access control device 16, which then determines if such access should be granted and the data read from data storage device 18. Thus, more preferably, data can only be read from, and written to, data storage device 18 through access control device 16.

[0023] Access control device 16 is optionally implemented according to a plurality of different embodiments, at least partially determined by the particular type of data storage device 18. For example, access control device 16 could optionally be implemented as a chip, with a non-volatile memory which is both readable and writable, such as a flash memory device for example, some type of input for receiving a request for data, and a microprocessor. As described in greater detail below, the various types of permissions could optionally be stored on the non-volatile memory, along with a set of instructions operated by the microprocessor. The chip could also be implemented as a programmable ASIC.

[0024] When access control device 16 receives a request for particular data which is stored in data storage device 18, the stored instructions are executed by the microprocessor in order to compare the request for the data to the stored permissions. If the stored permissions are such that the data request may be fulfilled, as described in greater detail below, then access control device 16 enables data to be retrieved from data storage device 18. Otherwise, access control device 16 does not enable the data to be retrieved. Since preferably data storage device 18 can only be accessed through access control device 16, if such access is not granted by access control device 16, then the data cannot otherwise be retrieved.

[0025] Access control device 16 could also optionally be directly integrated into data storage device 18. For example, if data storage device 18 is a flash memory device, which is typically embodied as a chip, then the functions of access control device 16 could be integrated into the chip itself. For example, data storage device 18 could be incorporated into a single chip with a microprocessor for access control device 16, and firmware for operating the data access features. Alternatively, access control device 16 may optionally only feature logic, such that access control device 16 would interact with CPU 12 for operating software for interacting with the logic and, hence, for performing the data access method of the present invention. Alternatively, access control device 16 and data storage device 18 may be implemented as a plurality of separate functional units which are not combined in a single chip.

[0026] However, the implementation of access control device 16 as a chip, or other electronic device, whether integrated into, or separate from, data storage device 18, is particularly preferred since such an implementation also enables the security of access control device 16 to be more easily maintained, as electronic hardware devices are more difficult to "hack" for unauthorized access. As described above, access control device 16 is preferably implemented as firmware, which combines software instructions stored on a hardware memory, with additional hardware components such as a microprocessor for performing the instructions.

[0027] According to preferred embodiments of the present invention, system 10 enables a plurality of different types of permissions for accessing data to be stored by access control device 16, such that a variety of different types of data access can be provided. As an example, one type of permission could be a standard read and write permission, but with write protection, such that access control device 16 would permit data to be read from data storage device 18, but would block an attempt to write data to data storage device 18. If such a permission is to be stored in an abbreviated code, the code for this particular type of permission could be given as "R/W/WP", for example. Such a code could optionally be stored in the non-volatile memory of access control device 16, for example. However, the permission is such that it could be changed to permit such write access, or a read and write permission with no write protection, with a code as follows: R/W/NP. These standard types of read and write permissions are often used for hard disks, floppy diskettes and other storage media, for example.

[0028] The present invention also preferably enables more complex types of permissions to be implemented. For example, the permission could be given as "write once and read many times", or "WO/RM" in code form, such that the data could only be written to data storage device 18 once, but could be read from data storage device 18 many times. One example of a useful implementation of such a permission is the storage of a picture for identifying a user, for example in order to permit access to a particular location.

[0029] Another type of optional but preferred implementation of a permission is "write once, no read, comparison with yes/no answer only", or "WO/NR/C" in code form. This type of permission indicates that the data can only be written to data storage device 18 once and cannot be read from data storage device 18. However, access control device 16 can enable the data to be compared with received data, but would only provide information in the form of a "yes" or "no" answer as a result of the comparison. One example of a useful implementation of such a permission is for a PIN (personal identification number) or other number for identifying a user, such as for accessing a bank account or using a credit card. Access control device 16 can receive data in the form of the PIN or other information entered by the user, and can then compare the received data to data which is stored in data storage device 18. Access control device 16 would then confirm whether the correct PIN or other identification information had been entered by returning a positive or negative comparison. The stored data would not be released from data storage device 18, such that the PIN could not be read from data storage device 18 by an unauthorized user. Thus, data security would be maintained, while still enabling the identity of the user to be confirmed according to an entered PIN or other identification information.

[0030] One variation of this type of permission incorporates permission, or lack thereof, for updating the stored data. With regard to the example above, the PIN or other identification information could optionally be changed for updating, if the permission is given as updatable, or WO/NR/C/U in code form. Alternatively, if the permission is given such that the data cannot be updated, or WO/NR/C/U in code form, then the data cannot be altered.

[0031] A more specific example of these different types of permissions, and their use thereof, is given below with regard to Figure 2, which features a flowchart of an illustrative and exemplary method according to the present invention for controlling data access.

[0032] Figure 2 shows a flowchart of an example of a method according to the present invention, with regard to access to data in the form of a stored credit card number. In step 1, a plurality of different types of information are combined to form the credit card number. Preferably, the format of the credit card number is given as follows: YYYZZZDDDAAA, in which YYY is a code which identifies the originator of the credit card data, such as the provider of the credit card; ZZZ is an identification number for the credit card account, which currently forms the credit card number in background art implementations of a credit card; DDD, which optionally features other data about the credit card account, such as the date when the credit card was issued, where the credit card was issued, the expiration date and so forth; and AAA, which optionally and preferably is a PIN as previously described.

[0033] In step 2, each portion of the credit card number is stored with a separately selected and assigned data access permission, which optionally and preferably is different for each portion of the number. For example, preferably "YYY", "ZZZ" and "DDD" are each stored with the permission assigned as WO/RM (write once, read many times); AAA is preferably stored with the permission assigned as WO/NR/C/U (write once, do not read, compare only, updatable). These permissions are described in greater detail above.

[0034] In step 3, the user attempts to purchase a product with the credit card number. In step 4, the merchant or other party receiving the payment enters the credit card number. It should be noted that this step is optionally performed substantially automatically, for example for e-commerce through a Web site. In step 5, the access control device receives the credit card number.

[0035] In step 6, the access control device determines the type of permission for each portion of the credit card number. In step 7, the access control device performs the commands which are permitted, optionally including reading the portions of the credit card number which are designated as "YYY", "ZZZ" and "DDD", and performing a comparison with the portion of the credit card number which is designated as "AAA". In step 8, the permitted information is returned by the access control device. Thus, this illustrative method is an example of the utility of the present invention for validating a credit card number for performing a purchase.

[0036] Other types of data which could be stored with an assigned type of permission according to the present invention include, but are not limited to, an access control code, an identification code and various types of data files, as described in greater detail below.

[0037] For example, an access control code could be implemented with a combination of different types of data, each of which could again feature a separately selected and assigned data access permission, which optionally and preferably is different for each portion of the data. If the access control code is implemented as a number, then preferably these different types of data are as follows, with the data access permissions. The first portion of the access control code is optionally a code which identifies the data as an access control code, and which is preferably stored as "WO/RM". The second portion of the access control code is preferably the access code itself, and is preferably stored as "WO/NR/C/U".

[0038] Similarly, an identification code is optionally and preferably composed of a first portion which identifies the data as an identification code, and which is preferably stored as "WO/RM", and a second portion which is the unique identification code, for example for a hardware device, which is preferably stored as "WO/RM".

[0039] Other types of data files may be stored with associated permission types as desired, which are constructed as previously described. For example, most data files are preferably stored as "R/W" data, with the decision to permit writing to the data ("R/W/WP") or not to permit such writing ("R/W/NP"), decided according to user preference. Thus, the present invention can accommodate many different types of uses for the control of data access.

[0040] According to another optional embodiment of the present invention, data could be stored on the storage device according to a data access type which may be defined as "read a few times, then delete". According to this preferred type of data access, a file would be stored on the device of the present invention and could then be read only a predefined number of times, which preferably would be a plurality of different read times. After the data had been read the predefined number of times, the device of the present invention would then delete the data, or otherwise render the data inaccessible for an additional data read. This type of data access is preferred for file types such as MP3 music files, which may be provided by a vendor for only such a predefined number of data read accesses, for example in order to prevent the unauthorized redistribution of such files.

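The per-portion permissions of Figure 2 (steps 1-2 and 5-8) and the "read a few times, then delete" access type, as an added C sketch of the checks an access control device would make. This is not code from the patent: every identifier, the 3-character portion width, the comparison loop without early exit and the requirement to present the current value before an update are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Permission bits for the codes in the description; all identifiers are hypothetical. */
enum {
    P_READ       = 1u << 0, /* data may be returned to the requester */
    P_WRITE_ONCE = 1u << 1, /* first write accepted, later writes rejected */
    P_COMPARE    = 1u << 2, /* yes/no comparison against the stored value */
    P_UPDATE     = 1u << 3, /* stored value may be replaced */
    P_READ_LIMIT = 1u << 4  /* "read a few times, then delete" */
};
#define PERM_WO_RM     (P_WRITE_ONCE | P_READ)
#define PERM_WO_NR_C_U (P_WRITE_ONCE | P_COMPARE | P_UPDATE)
#define PERM_READ_N    (P_WRITE_ONCE | P_READ | P_READ_LIMIT)

enum { ACD_OK = 0, ACD_DENIED = -1, ACD_NO_MATCH = -2, ACD_BAD_ARG = -3 };
#define SLOT_MAX 16
struct slot {
    uint8_t  data[SLOT_MAX];
    size_t   len;
    unsigned perm;       /* kept with the data: the "soft" definition */
    int      written;
    unsigned reads_left; /* used only with P_READ_LIMIT */
};

void slot_init(struct slot *s, unsigned perm, unsigned read_limit)
{
    memset(s, 0, sizeof *s);
    s->perm = perm;
    s->reads_left = read_limit;
}

int acd_write(struct slot *s, const void *src, size_t len)
{
    if (len == 0 || len > SLOT_MAX) return ACD_BAD_ARG;
    if (!(s->perm & P_WRITE_ONCE) || s->written) return ACD_DENIED;
    memcpy(s->data, src, len);
    s->len = len;
    s->written = 1;
    return ACD_OK;
}

int acd_read(struct slot *s, void *dst, size_t cap)
{
    if (!s->written || !(s->perm & P_READ)) return ACD_DENIED;
    if ((s->perm & P_READ_LIMIT) && s->reads_left == 0) return ACD_DENIED;
    if (cap < s->len) return ACD_BAD_ARG;
    memcpy(dst, s->data, s->len);
    if ((s->perm & P_READ_LIMIT) && --s->reads_left == 0)
        memset(s->data, 0, sizeof s->data); /* erase after the last permitted read */
    return ACD_OK;
}

/* Compare-only: the caller learns match or no match, never the stored bytes. The loop has
 * no early exit, so timing does not show where the values differ (a choice of this sketch). */
int acd_compare(const struct slot *s, const void *candidate, size_t len)
{
    const uint8_t *c = candidate;
    uint8_t diff = 0;
    if (!s->written || !(s->perm & P_COMPARE)) return ACD_DENIED;
    if (len != s->len) return ACD_NO_MATCH;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(s->data[i] ^ c[i]);
    return diff == 0 ? ACD_OK : ACD_NO_MATCH;
}

/* Replace ".../U" data. Demanding the current value first is an assumption here. */
int acd_update(struct slot *s, const void *old, size_t old_len, const void *nv, size_t nv_len)
{
    int rc;
    if (!(s->perm & P_UPDATE)) return ACD_DENIED;
    if (nv_len == 0 || nv_len > SLOT_MAX) return ACD_BAD_ARG;
    if ((rc = acd_compare(s, old, old_len)) != ACD_OK) return rc;
    memcpy(s->data, nv, nv_len);
    s->len = nv_len;
    return ACD_OK;
}

/* Figure 2: YYYZZZDDDAAA held as four 3-character portions, one slot each. */
enum { YYY, ZZZ, DDD, AAA, NPARTS };
struct card { struct slot part[NPARTS]; };

int card_provision(struct card *c, const char *number) /* steps 1-2 */
{
    if (strlen(number) != 3u * NPARTS) return ACD_BAD_ARG;
    for (int i = 0; i < NPARTS; i++) {
        slot_init(&c->part[i], i == AAA ? PERM_WO_NR_C_U : PERM_WO_RM, 0);
        if (acd_write(&c->part[i], number + 3 * i, 3) != ACD_OK) return ACD_DENIED;
    }
    return ACD_OK;
}

/* Steps 5-8: return the readable portions; only the AAA portion presented is compared. */
int card_validate(struct card *c, const char *presented, char readable[10])
{
    if (strlen(presented) != 3u * NPARTS) return ACD_BAD_ARG;
    for (int i = YYY; i <= DDD; i++)
        if (acd_read(&c->part[i], readable + 3 * i, 3) != ACD_OK) return ACD_DENIED;
    readable[9] = '\0';
    return acd_compare(&c->part[AAA], presented + 9, 3);
}
```

The compare path here places no limit on failed attempts; a retry counter that locks the slot is the usual companion to a yes/no PIN check and is not described on this page.
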
Claims

1. A system for controlling access to stored data, the system comprising:

(a) an electronic data storage device for storing the stored data; and

(b) an access control device for controlling access to said electronic data storage device, such that the stored data is only accessed through said access control device, and such that said access control device determines access to the stored data according to at least one permission.

2. The system of claim 1, wherein said electronic data storage device and said access control device are implemented on a single chip.

3. The system of claim 2, wherein said access control device includes a microprocessor and firmware for storing a plurality of instructions, such that said access control device determines said access according to said instructions of said firmware.

4. The system of claim 2, wherein said access control device is only logic, the system further comprising:

(c) a software program for containing a plurality of instructions for determining said access to said data storage device; and

(d) a data processor for operating said software program.

5. The system of claim 4, wherein said data storage device and said access control device are contained on said chip, and wherein said chip is included in a removable device.

6. The system of claim 1, wherein said data storage device and said access control device are implemented as a plurality of separate components.

7. The system of claim 1, wherein said access control device is implemented as a programmable ASIC.

8. The system of claim 1, wherein said access control device further comprises:

(i) an input for receiving a request to access the stored data;

(ii) a non-volatile memory for storing at least one permission for determining access to the stored data;

(iii) at least one instruction for determining a permitted access according to the at least one permission, said at least one instruction being stored on said non-volatile memory; and

(iv) a processor for executing said at least one instruction and for comparing said request to said at least one permission, such that if said at least one permission includes a type of access requested in said request, the stored data is provided, and alternatively if said at least one permission does not include a type of access requested in said request, the stored data is not provided.

9. The system of claim 8, wherein said non-volatile 
memory is a flash memory device. 

10. The system of claim 9, further comprising:

(c) a CPU (central processing unit) for transmitting
said request to said access control device
and for receiving provided data; and

(d) a bus for connecting said CPU to said access
control device, such that said electronic
data storage device is not accessed through
said CPU, but only through said access control
device.

11. The system of claim 10, wherein said bus is a USB
(universal serial bus).

12. The system of claim 11, wherein said at least one
permission is for comparing said request to the
stored data and for returning a positive or negative
comparison, such that if said request is identical to
the stored data, said comparison is positive, and
alternatively such that if said request is not identical
to the stored data, said comparison is negative, and
such that the stored data is not read.

13. The system of claim 1, wherein said access control
device is integrated with said electronic data storage
device.

14. A device for controlling access to data stored in an
electronic data storage device, the device comprising:

(a) an input for receiving a request to access
the stored data;

(b) a non-volatile memory for storing at least
one permission for determining access to the
stored data;

(c) at least one instruction for determining a
permitted access according to the at least one
permission, said at least one instruction being
stored on said non-volatile memory; and

(d) a processor for executing said at least one
instruction and for comparing said request to
said at least one permission, such that if said
at least one permission includes a type of access
requested in said request, the stored data
is provided, and alternatively if said at least one
permission does not include a type of access
requested in said request, the stored data is not
provided.

15. The device of claim 14, wherein the device is
implemented as a programmable ASIC.

16. The device of claim 14, wherein said non-volatile
memory is a flash memory device.

17. A method for controlling access to data stored in an
electronic data storage device, the method comprising
the steps of:

(a) providing an access control device for determining
access to the electronic data storage
device;

(b) receiving a request to access the stored data
by said access control device;

(c) comparing said request to at least one permission
for determining access to the stored
data by said access control device;

(d) if said at least one permission includes a
type of access requested in said request, performing
said request for accessing the stored
data from the electronic data storage device by
said access control device; and

(e) alternatively, if said at least one permission
does not include said type of access requested
in said request, rejecting said request by said
access control device.

18. The method of claim 17, wherein said type of access
includes permission to read from the stored
data, such that step (d) includes the step of reading
from the stored data.

19. The method of claim 17, wherein said type of access
includes permission to write to the stored data,
such that step (d) includes the step of writing to the
stored data.

20. The method of claim 17, wherein said type of access
only includes comparing said request to the
stored data and for returning a positive or negative
comparison, such that if said request is identical to
the stored data, step (d) includes the step of returning
a positive comparison, and alternatively such
that if said request is not identical to the stored data,
step (d) includes the step of returning a negative
comparison, such that the stored data is not read.

21. The method of claim 17, wherein the stored data is
a credit card number, and said credit card number
features a plurality of types of data, each of said
plurality of types of data being stored with a separately
selected access permission.
22. The method of claim 17, wherein the stored data
has a permission for a predetermined number of data
read accesses, such that step (c) includes the
steps of:

(i) determining a number of performed data
read accesses for the stored data; and

(ii) if said number of performed data read accesses
is less than said predetermined number
of data read accesses, permitting the stored data
to be read.
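The request handling of claims 17 to 22, sketched in C as an added example that is not part of the patent text: each stored item carries its own permission set, a compare-only item can be verified but never read back, and a read budget is enforced before data is released. The bit-flag encoding, the `record_t` layout, the `make_record` and `acd_*` names, and the convention that a budget of 0 means unlimited are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Access types from claims 18-20; the bit-flag encoding is an assumption. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_COMPARE = 4 };
enum { REQ_DENIED = -1, CMP_NEGATIVE = 0, CMP_POSITIVE = 1 };

typedef struct {
    uint8_t  data[16];
    size_t   len;
    unsigned perms;      /* permission set kept in non-volatile memory */
    unsigned max_reads;  /* claim 22 read budget; 0 = unlimited (assumption) */
    unsigned reads_done;
} record_t;

/* Hypothetical helper: provision one stored item with its own permission. */
record_t make_record(const char *s, unsigned perms, unsigned max_reads) {
    record_t r = {0};
    r.len = strlen(s) < sizeof r.data ? strlen(s) : sizeof r.data;
    memcpy(r.data, s, r.len);
    r.perms = perms; r.max_reads = max_reads;
    return r;
}

/* Claims 17(c)-(e), 18, 22: read only if permitted and budget not spent. */
int acd_read(record_t *r, uint8_t *out, size_t cap) {
    if (!(r->perms & PERM_READ) || cap < r->len) return REQ_DENIED;
    if (r->max_reads && r->reads_done >= r->max_reads) return REQ_DENIED;
    memcpy(out, r->data, r->len);
    r->reads_done++;
    return (int)r->len;
}

/* Claim 19: write only if the write permission is present. */
int acd_write(record_t *r, const uint8_t *in, size_t n) {
    if (!(r->perms & PERM_WRITE) || n > sizeof r->data) return REQ_DENIED;
    memcpy(r->data, in, n);
    r->len = n;
    return (int)n;
}

/* Claim 20: report identical / not identical without returning the data.
   The full-length loop is added hardening (not in the claims) against timing. */
int acd_compare(const record_t *r, const uint8_t *cand, size_t n) {
    if (!(r->perms & PERM_COMPARE)) return REQ_DENIED;
    unsigned diff = (n != r->len);
    for (size_t i = 0; i < r->len; i++)
        diff |= (unsigned)(r->data[i] ^ (i < n ? cand[i] : 0));
    return diff ? CMP_NEGATIVE : CMP_POSITIVE;
}
```
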